Renze Munnik: Are gross risks of any use?

October 24, 2023

^{This column was originally written in Dutch. This is an English translation.}

By Renze Munnik, Risk Management Consultant at Probability & Partners

In theory, every risk manager starts by estimating the gross risk. In practice, however, the usefulness and necessity of this first step are increasingly under discussion. However, it is unwise to throw the baby out with the bathwater.

Theory

The theory states that as a risk manager you must first estimate the risk in a situation in which no control measures have (yet) been taken and only then take into account the control measures already taken. The risk in a situation without control measures is called 'gross risk'.

Why is it necessary to estimate a gross risk at all? Aren't there control measures already in place? Estimating the gross risk serves on the one hand to determine how great the misery could be if those measures do not work and on the other hand to find out whether too many measures have been taken. In that case, the net risk would become lower than necessary and the costs of control would be too high.

Practice

In practice, I see more and more discussion about whether the assessment of gross risks is useful. People are increasingly inclined to call the status quo (i.e. the net risk) the gross risk and the desired situation (i.e. with additional measures) the net risk. And there is something to be said for that. You already have what is there now and you should pay particular attention to the steps you still want to take to improve. And then you don't want to waste time thinking about a situation that isn't happening anyway.

The gross risk

When determining the gross risk, there is always discussion about what exactly is meant by a 'situation without controls'. Are there no controls at all, or just a few controls? And what are those few? Sometimes it is not realistic to assume that there are no controls at all. And in some cases, it is. And sometimes it doesn't seem realistic, but maybe it is.

A house has a front door. It is unrealistic to assume that there is no front door. So when we look at the risk of a burglary, we roughly assume that there is a front door. And perhaps a lock too. Because a house without a lock on the front door is not realistic. Thinking about that is a waste of time. So what is it all about? What then are the measures between gross and net? For example, thieves' claws, an extra strong lock, an alarm system, a watchdog, etc.

A practical example

But in reality it sometimes turns out to be different.

I have seen at an organization that the authentication of the system did not work. The server that was supposed to authenticate the user (who are you?) was not working. Then no one can log in anymore. And so you can't work. Solution: turn off authentication. As soon as the server is restored, we will enable the control again.

You can compare that with when the lock on your front door is closed. You can no longer get your key in the lock. You can't go in anymore. Solution? Out the front door. As soon as the lock has been repaired, we will put the door back in place.

And in the meantime? In the meantime, anyone can just walk in.

And don't just assume that this doesn't happen at your organization. Situations like this really do happen.

Awareness

Apart from the technical side of such a situation, it is about awareness. The system may have a problem. But how do you deal with that as a person? People must be aware of what they are doing and what they can or may do.

So you have to make people aware that they cannot simply turn off the security because that is more convenient.

But they are adults. If you tell them that they are not allowed to do that, you must also give a valid reason. And that's not 'because I said so', or 'that's why'. No, the explanation is: 'Because otherwise people can enter who should not be there. And those people can change or steal data, and they can install viruses and (other) malware that later corrupt, redirect and block the data (ransomware).'

So you explain what the situation is if there is no security. You explain what can happen without control. In other words, you tell what the gross risk is.

If you don't know what the gross risk is, what are you going to tell your colleagues, employees and outsourcing parties? These measures should be there 'because we think so', 'because they have always been there', 'because everyone has them', 'because that is just logical'?

Just a little attention

It is therefore not surprising to occasionally consider gross risks.

And of course I understand that given a status quo, most attention is paid to the net risk and (especially) to the step to the desired risk level. After all, you do not want to end up in endless discussions about an assessment of the gross risk after the decimal point. But you must be well aware of the reason why you have taken the measures. Colleagues, employees and outsourcing parties must also be aware of this. Only then can you expect them to make the right choices when a certain situation arises.

Probability & Partners is a Risk Advisory Firm that provides integrated risk management and quantitative modeling solutions to the financial sector and data-driven enterprises.

More columns by Renze Munnik